Composite event definitions. Each entry below gives four fields: Event Name, Constituent Event Types, Pattern (how the constituent events are correlated), and Scope (the unit within which correlation happens: Thread, Process or Login).


Event Name: FileEdited
Constituent Event Types: FileRead, FileWrite, FileReadWrite
Pattern: Same processId and fileHandle. beforeHash of the first read and afterHash of the last write differ. Both reads and writes go to the same fileHandle. Sum of writes > 0.
Scope: Thread


Event Name: FileCopied
Constituent Event Types: FileRead, FileWrite, FileReadWrite, FileCopy
Pattern: Command shell: alternating reads and writes. The reads all use one fileHandle, the writes all use a second one. Explorer: a long series of reads from one fileHandle followed by a long series of writes to a second. Mind the time period between the two runs. In both cases the target device must not be removable.
Scope: Thread


Event Name: FileSaveAs
Constituent Event Types: FileRead, FileWrite, FileReadWrite
Pattern: (illegible in the source)
Scope: Process


Event Name: FileLeftThroughRemovableMedia
Constituent Event Types: FileRead, FileWrite, FileReadWrite, FileCopy
Pattern: Same as FileCopied or FileSaveAs, but the target device is removable.
Scope: Process
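The three file patterns above (FileEdited, FileCopied in both its Explorer and command-shell shapes, and FileLeftThroughRemovableMedia) run over one constructed stream of file events in the following added example. It is not code from the source document; the record fields (processId, threadId, fileHandle, beforeHash, afterHash, removable) follow the table's wording and are assumed, as is the 5-second bound used for "mind the time period between".

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class FileEvent:
    # Assumed schema, modelled on the table's field names.
    ts: float                # timestamp, seconds
    kind: str                # "FileRead" | "FileWrite" | "FileReadWrite"
    processId: int
    threadId: int
    fileHandle: int
    path: str
    nbytes: int              # bytes transferred by this operation
    beforeHash: str = ""     # content hash before the operation (reads)
    afterHash: str = ""      # content hash after the operation (writes)
    removable: bool = False  # target device is removable media


def detect_file_edited(events):
    """FileEdited (scope: thread): one processId/fileHandle carries both reads
    and writes, total bytes written > 0, and the beforeHash of the first read
    differs from the afterHash of the last write."""
    groups = defaultdict(list)
    for e in events:
        groups[(e.processId, e.threadId, e.fileHandle)].append(e)
    hits = []
    for (pid, _tid, fh), evs in groups.items():
        evs.sort(key=lambda e: e.ts)
        reads = [e for e in evs if e.kind in ("FileRead", "FileReadWrite")]
        writes = [e for e in evs if e.kind in ("FileWrite", "FileReadWrite")]
        if not reads or not writes or sum(w.nbytes for w in writes) <= 0:
            continue
        if reads[0].beforeHash == writes[-1].afterHash:
            continue  # content unchanged: a rewrite, not an edit
        hits.append({"event": "FileEdited", "processId": pid,
                     "fileHandle": fh, "path": evs[0].path})
    return hits


def detect_file_copies(events, max_gap=5.0):
    """FileCopied / FileLeftThroughRemovableMedia: within one thread all reads
    use one handle and all writes a second one. Explorer shape: every read
    precedes every write, with a bounded gap between the runs. Shell shape:
    reads and writes strictly alternate. A removable write target turns the
    event into FileLeftThroughRemovableMedia."""
    groups = defaultdict(list)
    for e in events:
        if e.kind in ("FileRead", "FileWrite"):
            groups[(e.processId, e.threadId)].append(e)
    hits = []
    for (pid, _tid), evs in groups.items():
        evs.sort(key=lambda e: e.ts)
        reads = [e for e in evs if e.kind == "FileRead"]
        writes = [e for e in evs if e.kind == "FileWrite"]
        if not reads or not writes:
            continue
        rh = {e.fileHandle for e in reads}
        wh = {e.fileHandle for e in writes}
        if len(rh) != 1 or len(wh) != 1 or rh == wh:
            continue  # same handle both ways is FileEdited, not a copy
        if reads[-1].ts < writes[0].ts:
            if writes[0].ts - reads[-1].ts > max_gap:
                continue  # runs too far apart to be one copy
            shape = "explorer"
        else:
            kinds = [e.kind for e in evs]
            if any(a == b for a, b in zip(kinds, kinds[1:])):
                continue  # not strictly alternating
            shape = "shell"
        name = ("FileLeftThroughRemovableMedia" if writes[0].removable
                else "FileCopied")
        hits.append({"event": name, "processId": pid, "shape": shape,
                     "source": reads[0].path, "target": writes[0].path})
    return hits


# Constructed sample stream (not real audit data).
SAMPLE_FILE_EVENTS = [
    # pid 100: in-place edit of one handle, hash changes
    FileEvent(1.0, "FileRead", 100, 1, 7, "C:/docs/plan.docx", 4096, beforeHash="a1"),
    FileEvent(1.5, "FileWrite", 100, 1, 7, "C:/docs/plan.docx", 4100, afterHash="b2"),
    # pid 200: Explorer-style copy, all reads on handle 3 then all writes on handle 4
    FileEvent(2.0, "FileRead", 200, 5, 3, "C:/docs/secret.xlsx", 65536),
    FileEvent(2.1, "FileRead", 200, 5, 3, "C:/docs/secret.xlsx", 65536),
    FileEvent(2.3, "FileWrite", 200, 5, 4, "D:/backup/secret.xlsx", 65536),
    FileEvent(2.4, "FileWrite", 200, 5, 4, "D:/backup/secret.xlsx", 65536),
    # pid 300: command-shell copy, alternating, target on removable media
    FileEvent(3.0, "FileRead", 300, 9, 10, "C:/docs/secret.xlsx", 8192),
    FileEvent(3.1, "FileWrite", 300, 9, 11, "E:/secret.xlsx", 8192, removable=True),
    FileEvent(3.2, "FileRead", 300, 9, 10, "C:/docs/secret.xlsx", 8192),
    FileEvent(3.3, "FileWrite", 300, 9, 11, "E:/secret.xlsx", 8192, removable=True),
    # pid 400: read and rewrite with identical content, not an edit
    FileEvent(4.0, "FileRead", 400, 2, 5, "C:/tmp/log.txt", 100, beforeHash="c3"),
    FileEvent(4.2, "FileWrite", 400, 2, 5, "C:/tmp/log.txt", 100, afterHash="c3"),
]

if __name__ == "__main__":
    for hit in detect_file_edited(SAMPLE_FILE_EVENTS) + detect_file_copies(SAMPLE_FILE_EVENTS):
        print(hit)
```

The grouping key deliberately includes the thread, matching the table's Thread scope for FileEdited and FileCopied; FileLeftThroughRemovableMedia is listed with Process scope, so a production correlator would relax that key for the removable case.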


Event Name: ClipboardToFile
Constituent Event Types: ClipboardCutCopy, ClipboardPaste
Pattern: Pair a ClipboardCutCopy with all subsequent ClipboardPaste events for that user login until the next copy or until the user logs out. Problem: if the user closes the application that performed the copy, the object was large, and the user opts not to keep it on the clipboard, what happens?
Scope: Login


Event Name: PrintFile
Constituent Event Types: Print, possibly others
Pattern: Unclear. If there are temp files, intermediate PDF files, etc., then we may perform a chain-of-custody analysis to figure out just what was printed.
Scope: Thread


Event Name: BurnMaster
Constituent Event Types: FileRead, FileWrite
Pattern: An app known to burn files reads one or more files, then writes a file.
Scope: Process


Event Name: BurnFile
Constituent Event Types: CDWrite, FileRead
Pattern: Application is recognized as a CD-writing app (optional). A series of FileReads from one fileHandle, followed by a series of CDWrite events from the same process. May need to compare filenames; otherwise one read will exhaust all the writes. Alternately, all read files are lumped together into one large burn event. Or perhaps the first read of a new file after the last read from the previous file is the start of the next burn event.
Scope: Process


Event Name: FileLeftThroughNetworkPort
Constituent Event Types: FileRead, TCPIPInbound, TCPIPOutbound, UDPInbound, UDPOutbound, IPSECInbound, IPSECOutbound
Pattern: An overlapping stream of FileReads interspersed with inbound and outbound network events. All the network events should be for the same port (?) and to a destination NOT on localhost. All the network events should be for the same protocol.
Scope: Thread
Event Name: EmailFile
Constituent Event Types: FileRead, TCPIPInbound, TCPIPOutbound, (other protocols???)
Pattern: Similar to FileLeftThroughNetworkPort. Combines all interleaving FileReads with the network events. The application image name is one of those known to be an email program. May place constraints on the ports, since many emailers use certain well-defined ports for SMTP, POP, etc.
Scope: Process


Event Name: InstantMessenger
Constituent Event Types: FileRead, TCPIPInbound, TCPIPOutbound, (other protocols???)
Pattern: Similar to FileLeftThroughNetworkPort. Combines all interleaving FileReads with the network events. The application image name is one of those known to be used for instant messaging. May place constraints on the ports.
Scope: Process


Event Name: P2PApp
Constituent Event Types: FileRead, TCPIPInbound, TCPIPOutbound, UDPInbound, UDPOutbound, IPSECInbound, IPSECOutbound
Pattern: Constrain the application name to be one of those known to be a P2P app. Multiple ports will be used; some or all of them may have constraints. May constrain the protocol per app or per instance. Similar to FileLeftThroughNetworkPort as concerns interleaved file reads.
Scope: Process
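The network-port family (FileLeftThroughNetworkPort and its EmailFile, InstantMessenger and P2PApp specialisations) share one interleaving test and differ only in the image-name and port constraints, so one added example covers all four. It is not code from the source document: the record fields, the "known application" image-name lists and the mail port set are assumptions standing in for whatever lists a deployment would maintain.

```python
from collections import defaultdict
from dataclasses import dataclass

NET_KINDS = {"TCPIPInbound", "TCPIPOutbound", "UDPInbound", "UDPOutbound",
             "IPSECInbound", "IPSECOutbound"}
# Placeholder allow-lists for the "known email / IM / P2P application" sets
# the table refers to (assumption, not a vendor list).
MAIL_IMAGES = {"outlook.exe", "thunderbird.exe"}
IM_IMAGES = {"msnmsgr.exe", "pidgin.exe"}
P2P_IMAGES = {"utorrent.exe", "emule.exe"}
MAIL_PORTS = {25, 110, 143, 465, 587, 993, 995}  # SMTP/POP3/IMAP and TLS variants


@dataclass
class Event:
    # Assumed schema, modelled on the table's field names.
    ts: float
    kind: str            # "FileRead" or one of NET_KINDS
    processId: int
    imageName: str
    path: str = ""       # FileRead only
    protocol: str = ""   # network events only: "TCPIP" | "UDP" | "IPSEC"
    remoteAddr: str = ""
    remotePort: int = 0


def is_loopback(addr):
    return addr in ("localhost", "::1") or addr.startswith("127.")


def detect_file_left_through_network(events):
    """Per process: FileReads interleaved with non-loopback network events.
    The generic rule requires a single protocol and a single remote port;
    named application classes relax or change that as the table describes."""
    by_proc = defaultdict(list)
    for e in events:
        by_proc[e.processId].append(e)
    hits = []
    for pid, evs in by_proc.items():
        evs.sort(key=lambda e: e.ts)
        reads = [e for e in evs if e.kind == "FileRead"]
        net = [e for e in evs
               if e.kind in NET_KINDS and not is_loopback(e.remoteAddr)]
        if not reads or not net:
            continue
        # Interleaving: at least one read lands between two network events.
        inter = [r for r in reads if net[0].ts < r.ts < net[-1].ts]
        if not inter:
            continue
        protocols = {e.protocol for e in net}
        ports = {e.remotePort for e in net}
        image = evs[0].imageName.lower()
        if image in MAIL_IMAGES:
            if not ports <= MAIL_PORTS:
                continue             # mailer talking on non-mail ports: ignore
            name = "EmailFile"
        elif image in IM_IMAGES:
            name = "InstantMessenger"  # no port constraint applied here
        elif image in P2P_IMAGES:
            name = "P2PApp"            # many ports and protocols expected
        else:
            if len(protocols) != 1 or len(ports) != 1:
                continue
            name = "FileLeftThroughNetworkPort"
        hits.append({"event": name, "processId": pid, "image": image,
                     "files": sorted({r.path for r in inter}),
                     "ports": sorted(ports), "protocols": sorted(protocols)})
    return hits


# Constructed sample stream (not real audit data).
SAMPLE_EVENTS = [
    # pid 10: unknown tool pushes two files over one TCP port to a remote host
    Event(1.0, "TCPIPOutbound", 10, "xfer.exe", protocol="TCPIP", remoteAddr="203.0.113.9", remotePort=4444),
    Event(1.1, "FileRead", 10, "xfer.exe", path="C:/docs/q3-forecast.xlsx"),
    Event(1.2, "TCPIPOutbound", 10, "xfer.exe", protocol="TCPIP", remoteAddr="203.0.113.9", remotePort=4444),
    Event(1.3, "FileRead", 10, "xfer.exe", path="C:/docs/board-minutes.docx"),
    Event(1.4, "TCPIPOutbound", 10, "xfer.exe", protocol="TCPIP", remoteAddr="203.0.113.9", remotePort=4444),
    # pid 20: mail client reads an attachment in the middle of an SMTP submission
    Event(2.0, "TCPIPOutbound", 20, "outlook.exe", protocol="TCPIP", remoteAddr="198.51.100.4", remotePort=587),
    Event(2.1, "FileRead", 20, "outlook.exe", path="C:/docs/contract.pdf"),
    Event(2.2, "TCPIPInbound", 20, "outlook.exe", protocol="TCPIP", remoteAddr="198.51.100.4", remotePort=587),
    # pid 30: P2P client, mixed UDP/TCP and ports
    Event(3.0, "UDPOutbound", 30, "utorrent.exe", protocol="UDP", remoteAddr="192.0.2.7", remotePort=6881),
    Event(3.1, "FileRead", 30, "utorrent.exe", path="C:/share/dataset.zip"),
    Event(3.2, "TCPIPOutbound", 30, "utorrent.exe", protocol="TCPIP", remoteAddr="192.0.2.8", remotePort=51413),
    # pid 40: reads interleaved with loopback-only traffic: not a network exit
    Event(4.0, "TCPIPOutbound", 40, "app.exe", protocol="TCPIP", remoteAddr="127.0.0.1", remotePort=8080),
    Event(4.1, "FileRead", 40, "app.exe", path="C:/app/cache.bin"),
    Event(4.2, "TCPIPOutbound", 40, "app.exe", protocol="TCPIP", remoteAddr="127.0.0.1", remotePort=8080),
    # pid 50: reads finish before any network activity: no interleaving
    Event(5.0, "FileRead", 50, "backup.exe", path="C:/docs/a.txt"),
    Event(5.1, "FileRead", 50, "backup.exe", path="C:/docs/b.txt"),
    Event(5.2, "TCPIPOutbound", 50, "backup.exe", protocol="TCPIP", remoteAddr="198.51.100.9", remotePort=443),
]

if __name__ == "__main__":
    for hit in detect_file_left_through_network(SAMPLE_EVENTS):
        print(hit)
```

Grouping is by process here because EmailFile, InstantMessenger and P2PApp carry Process scope; the table gives the bare FileLeftThroughNetworkPort a Thread scope, which would mean adding threadId to the key for that case.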




Event Name: (missing in the source; the pattern describes an FTP transfer)
Constituent Event Types: FileRead, FileWrite, ??? (TCPIPInbound, TCPIPOutbound)
Pattern: May want to split into two events, one for reading and one for writing. Constrain to the common FTP port, unless the app is known by name to be an FTP client. Like FileLeftThroughNetworkPort, look for interleaved reads and network events, or interleaved writes and network events.
Scope: Process


Event Name: RemoteAccess
Constituent Event Types: TCPIPInbound, TCPIPOutbound, UDPInbound, UDPOutbound, IPSECInbound, IPSECOutbound
Pattern: Do not incorporate FileRead events. Several ports may be used. Look for known image names of remote-access apps.
Scope: Process


Event Name: TunnelOut
Constituent Event Types: TCPIPInbound, TCPIPOutbound, UDPInbound, UDPOutbound, IPSECInbound, IPSECOutbound
Pattern: All events use the same protocol. Only two processes are involved: two different apps and four ports are used, and one of the ports is remote.
Event 1: the first app sends outbound from local port 1 to local port 2.
Event 2: the second app (the tunneler) receives inbound from local port 1 to local port 2.
Event 3: the tunneler also sends from local port 3 to remote port 4.
Both events of the tunneler share the same thread (probably).
Scope: Login


Event Name: TunnelIn
Constituent Event Types: TCPIPInbound, TCPIPOutbound, UDPInbound, UDPOutbound, IPSECInbound, IPSECOutbound
Pattern: All events use the same protocol. Only two processes are involved: two different apps and four ports are used, and one of the ports is remote.
Event 1: the first app (the tunneler) receives inbound from remote port 1 to local port 2.
Event 2: the tunneler sends outbound from local port 2 to local port 3.
Event 3: the second app receives inbound from local port 3 to local port 4.
Both events of the tunneler share the same thread (probably).
Scope: Login
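The TunnelOut and TunnelIn patterns both hinge on one local hop seen twice, once as an outbound event in the originating process and once as an inbound event in a different process, with the tunneler adding a remote leg on the same thread. The following added example (not code from the source document) pairs the two sides of that hop on matching (srcPort, dstPort) and protocol, then looks for the remote leg; the "same thread" clause the table marks as probable is enforced strictly here, the 2-second pairing window and the host's own address are assumptions, and the record fields are a constructed schema.

```python
from dataclasses import dataclass

# This host's non-loopback interface address (assumed for the sample).
HOST_ADDRS = {"10.0.0.5"}


@dataclass
class NetEvent:
    # Assumed schema for the per-process network audit records.
    ts: float
    kind: str        # "TCPIPInbound", "TCPIPOutbound", "UDPInbound", ...
    processId: int
    threadId: int
    imageName: str
    protocol: str    # "TCPIP" | "UDP" | "IPSEC"
    srcAddr: str
    srcPort: int
    dstAddr: str
    dstPort: int


def is_local(addr):
    return addr == "::1" or addr.startswith("127.") or addr in HOST_ADDRS


def detect_tunnels(events, window=2.0):
    """Pair every local-to-local outbound event with the inbound event that a
    different process records for the same ports and protocol (the tunnel's
    local leg). TunnelOut: the receiver then sends to a remote address on the
    same thread. TunnelIn: the sender had just received from a remote address
    on the same thread."""
    outbound = [e for e in events if e.kind.endswith("Outbound")]
    inbound = [e for e in events if e.kind.endswith("Inbound")]
    hits = []
    for out in outbound:
        if not (is_local(out.srcAddr) and is_local(out.dstAddr)):
            continue
        for inn in inbound:
            if (inn.processId == out.processId or inn.protocol != out.protocol
                    or (inn.srcPort, inn.dstPort) != (out.srcPort, out.dstPort)
                    or abs(inn.ts - out.ts) > window):
                continue
            # TunnelOut: the receiving process relays to a remote host.
            for rem in outbound:
                if (rem.processId == inn.processId and rem.threadId == inn.threadId
                        and rem.protocol == out.protocol and not is_local(rem.dstAddr)
                        and 0 <= rem.ts - inn.ts <= window):
                    hits.append({"event": "TunnelOut", "app": out.imageName,
                                 "tunneler": inn.imageName,
                                 "localPorts": (out.srcPort, out.dstPort),
                                 "remote": (rem.dstAddr, rem.dstPort)})
            # TunnelIn: the sending process was itself fed by a remote host.
            for rem in inbound:
                if (rem.processId == out.processId and rem.threadId == out.threadId
                        and rem.protocol == out.protocol and not is_local(rem.srcAddr)
                        and 0 <= out.ts - rem.ts <= window):
                    hits.append({"event": "TunnelIn", "app": inn.imageName,
                                 "tunneler": out.imageName,
                                 "localPorts": (out.srcPort, out.dstPort),
                                 "remote": (rem.srcAddr, rem.srcPort)})
    return hits


# Constructed sample stream (not real audit data).
SAMPLE_NET_EVENTS = [
    # TunnelOut: a client talks to a local relay port; the tunneler forwards it out
    NetEvent(1.00, "TCPIPOutbound", 1, 1, "putty.exe", "TCPIP", "127.0.0.1", 50000, "127.0.0.1", 1080),
    NetEvent(1.01, "TCPIPInbound", 2, 7, "stunnel.exe", "TCPIP", "127.0.0.1", 50000, "127.0.0.1", 1080),
    NetEvent(1.05, "TCPIPOutbound", 2, 7, "stunnel.exe", "TCPIP", "10.0.0.5", 50001, "203.0.113.9", 443),
    # TunnelIn: a remote peer reaches the tunneler, which hands the session to local RDP
    NetEvent(5.00, "TCPIPInbound", 3, 3, "stunnel.exe", "TCPIP", "203.0.113.9", 4444, "10.0.0.5", 8443),
    NetEvent(5.02, "TCPIPOutbound", 3, 3, "stunnel.exe", "TCPIP", "127.0.0.1", 50002, "127.0.0.1", 3389),
    NetEvent(5.03, "TCPIPInbound", 4, 2, "svchost.exe", "TCPIP", "127.0.0.1", 50002, "127.0.0.1", 3389),
    # Benign: local client to local database, no remote leg on either side
    NetEvent(9.00, "TCPIPOutbound", 5, 1, "psql.exe", "TCPIP", "127.0.0.1", 50010, "127.0.0.1", 5432),
    NetEvent(9.01, "TCPIPInbound", 6, 4, "postgres.exe", "TCPIP", "127.0.0.1", 50010, "127.0.0.1", 5432),
]

if __name__ == "__main__":
    for hit in detect_tunnels(SAMPLE_NET_EVENTS):
        print(hit)
```

The local-only database pair in the sample shows why the remote leg is the discriminating feature: loopback traffic between two processes is routine, and only the same-thread connection to a non-local address turns it into a tunnel event.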


Event Name: TunnelInOut
Constituent Event Types: TCPIPInbound, TCPIPOutbound, UDPInbound, UDPOutbound, IPSECInbound, IPSECOutbound
Pattern: Multiple protocols may be used. More research needed. More than three ports are used.
Scope: Login
Event Name: FileLeftThroughTunnel
Constituent Event Types: FileRead, TunnelOut
Pattern: Similar to FileLeftThroughNetworkPort. Combines all interleaving FileReads involving a process that is participating in a TunnelOut event. If more than one file is read, the source destination will be a count of the files read.
Scope: Login?